Injunctive Relief Claims for GDPR Violations: The OLG Frankfurt Ruling
In a landmark ruling dated March 30, 2023 (case number: 16 U 22/22), the Higher Regional Court of Frankfurt am Main decided that data subjects are not entitled to injunctive relief if their personal data is transferred to third parties in violation of the General Data Protection Regulation (GDPR). This ruling has been met with significant criticism. Many believe it makes it more difficult to enforce data protection rights effectively. Clarification by the Federal Supreme Court (BGH) would be highly desirable to resolve the current legal uncertainty.
Details of the OLG Frankfurt Ruling on Injunctive Relief
The plaintiff in this case had sued an online store for injunctive relief. The claim was based on the allegation that the store had forwarded personal data, such as IP addresses and usage data, to third-party providers like Google, when its website was accessed.
No Injunctive Relief under GDPR Articles 17 and 82
The Frankfurt am Main Higher Regional Court ultimately rejected the claim for injunctive relief. It stated that neither Article 17 nor Article 82 of the GDPR provides a basis for such a claim. Article 17 of the GDPR primarily grants a right to the deletion of data. While an injunctive relief claim might be derived from this regarding data storage, it does not extend to the transmission of data to third parties.
According to the court, Article 82 GDPR, which addresses the right to compensation, requires concrete damage. Such damage was not demonstrated in this particular case (OLG Frankfurt am Main, judgment of March 30, 2023, Case No. 16 U 22/22, para. 63).
Exclusion of National Claims
The court also ruled out national claims for injunctive relief under Section 1004 BGB in conjunction with Section 823 BGB. The Higher Regional Court of Frankfurt am Main argued that the GDPR, as fully harmonized EU law, contains conclusive provisions. Therefore, there was no opening clause for national law to apply.
The "remedies" mentioned in Article 79 GDPR refer only to procedural, not substantive claims. The court concluded that legal protection under individual law was deliberately restricted in favor of "public enforcement" by the data protection supervisory authorities (OLG Frankfurt am Main, loc. cit., para. 76 et seq.).
Reactions to the Frankfurt Higher Regional Court's Decision
The ruling has evoked mixed reactions. Data protectionists criticize that the rights of data subjects will be severely restricted. They perceive an effective enforcement of data privacy to be at risk.
For companies and website operators, however, the ruling strengthens their position. It potentially lowers the liability risk in the event of data protection violations, provided no concrete damage can be proven.
In the broader legal discussion, the view of the OLG Frankfurt am Main is not universally accepted. Another perspective suggests that substantive claims can indeed arise from Article 79 GDPR. Proponents of this view argue that restricting individual legal protection contradicts the principle of effectiveness of Union law.
It remains questionable whether the restrictive approach of the OLG Frankfurt am Main is correct. In any case, the ruling highlights that for GDPR violations, data subjects primarily have recourse through complaints to the competent data protection supervisory authority. Individual claims against the responsible party are now possible only to a limited extent.
Critical Evaluation: Was the OLG Frankfurt Ruling Incorrect?
Several data protection experts believe the OLG Frankfurt am Main misinterpreted the legal situation. They present the following arguments:
- Article 79 GDPR guarantees data subjects an effective judicial remedy, from which a claim for injunctive relief can also be derived.
- The GDPR does not conclusively exclude supplementary national regulations. Consequently, national claims such as § 823 BGB should still be applicable. (Note: The Higher Regional Court of Frankfurt am Main specifically rejected a claim based on § 1004 BGB).
- Restricting individual legal protection conflicts with the principle of effectiveness of Union law.
- Without individual claims for injunctive relief, the GDPR cannot be effectively enforced. Relying solely on complaints to data protection authorities is often insufficient.
Call for Clarity from the Federal Supreme Court (BGH)
Given the legal uncertainties stemming from the Frankfurt am Main Higher Regional Court's ruling, it is hoped that the Federal Supreme Court (BGH) will soon have the opportunity to address the issue of injunctive relief. Only the BGH can establish a uniform legal interpretation at the highest instance.
Until such clarification, the legal situation remains ambiguous for both affected individuals and website operators. Injunctive claims for data privacy violations face reduced prospects of success due to the restrictive view adopted by the Frankfurt am Main Higher Regional Court. Conversely, website operators are not automatically liable for injunctive relief in cases of infringements. Future cases will likely depend even more heavily on a detailed case-by-case assessment.
Conclusion
The landmark ruling by the Frankfurt am Main Higher Regional Court significantly restricts the enforcement of data privacy law through individual claims. Whether this aligns with the principle of effectiveness of Union law remains debatable. Therefore, a supreme court clarification by the BGH is highly desirable. Until then, considerable legal uncertainty persists for both data subjects and website operators concerning data privacy violations.